--with-vfs and ACLs problem

Esh, Andrew AEsh at tricord.com
Thu Jun 20 15:32:02 GMT 2002

Helpful info to answer Mr. Sharpe's questions:

To find the domain SID of any domain controller:

	rpcclient //ip-or-netbios-name-of-domain-controller -U DOMAIN+Username%password -c lsaquery

To find the MACHINE SID of the Samba server:

	tdbtool /usr/local/samba/private/secrets.tdb
	(keep hitting return until you see the key
	(convert the second through seventh 32-bit words of the key's value into decimal and pre-pend "S-1-")

For example, the secrets.tdb entry:
key 17 bytes
[000] 53 45 43 52 45 54 53 2F  53 49 44 2F 50 4C 55 54  SECRETS/ SID/PLUT
[010] 4F                                                O 
data 68 bytes
[000] 01 04 00 00 00 00 00 05  15 00 00 00 69 87 68 E6  ........ ....i.h.
[010] 0C C7 2C 3B 06 A9 51 9D  00 00 00 00 00 00 00 00  ..,;..Q. ........

converts to:


(Remember it's little-endian, so the hex number to convert for the third word is: E6688769.)
-----Original Message-----
From: Richard Sharpe [mailto:rsharpe at ns.aus.com]
Sent: Thursday, June 20, 2002 6:07 PM
To: Nir L
Cc: esteadle at spinnakernet.com; samba-technical at samba.org
Subject: Re: --with-vfs and ACLs problem

On Thu, 20 Jun 2002, Nir L wrote:

> The problem is that my Client Workstations are displaying correct account
> names when looking for ACLs of files of all the NT servers in the DOMAIN.
> The Client has no problem with that. It has a problem when trying to translate
> SIDs of the DOMAIN that were created by Samba.
> So - My guess is that after all the problem is with Samba creating the
> SIDs and not with the clients or the PDC. Maybe something on the ACL that
> is returned makes the client NOT request more info from the PDC.
> But - I don't know what it is...

Are you working in a domain trusts environment? 

Prior to 2.2.4, I think, Samba was doing silly things when constructing 
the token for a user just logging on. It was using its own DOMAIN SID and 
the RID from the incoming token, rather than the DOMAIN SID of the domain 
they authenticated in.

This could create some silly problems.

The other thing that might be happening, depending on your code, is that 
the user's local SID might be used, and if you are not using winbindd, 
this might not be being handled properly.

What do the SIDs look like? Can you relate them to the machine SID for 
Samba or the DOMAIN SID for your domain?

Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com
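As an added worked example (not part of this message or of Samba itself), a small Python decoder for the binary SID blob stored under the SECRETS/SID/<name> key, applied to the tdbtool dump quoted above; it reads the sub-authority count byte instead of a fixed number of words, so the zero padding at the end of the 68-byte record is ignored. The layout assumed is the standard binary SID encoding: revision byte, sub-authority count byte, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities.

```python
import struct

# The first two 16-byte rows of the 68-byte secrets.tdb value shown in the
# tdbtool dump above (re-typed from the page; the remaining rows are zero padding).
SECRETS_TDB_SID_HEX = (
    "01 04 00 00 00 00 00 05 15 00 00 00 69 87 68 E6 "
    "0C C7 2C 3B 06 A9 51 9D 00 00 00 00 00 00 00 00"
)


def sid_from_blob(blob: bytes) -> str:
    """Decode a binary SID into its S-1-... string form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then `count` little-endian
    32-bit sub-authorities. Anything after that (tdb record padding) is ignored.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short for header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15:  # Windows caps SIDs at 15 sub-authorities
        raise ValueError(f"implausible sub-authority count {count}")
    if len(blob) < 8 + 4 * count:
        raise ValueError("SID blob truncated before last sub-authority")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)  # little-endian words
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_from_hexdump(hexdump: str) -> str:
    """Convenience wrapper for the space-separated hex as tdbtool prints it."""
    return sid_from_blob(bytes.fromhex(hexdump))


if __name__ == "__main__":
    print(sid_from_hexdump(SECRETS_TDB_SID_HEX))
```

secrets.tdb also holds the machine account password, so dumping it needs root and the output should be handled as a secret, not pasted into a list post.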
